Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16059
Views
5
Helpful
13
Replies

Prioritize VoIP on ASA

Go to solution
NInja Black
Beginner
Beginner

‎06-18-2014 09:18 AM - edited ‎03-11-2019 09:20 PM

Hi,

 We have an ASA 5515 connected to the ISP router.  Being a call center I wanted to prioritize VoIP traffic. First of all is there a need to do this. We have comcast pipe of 50Mbps which is more than enough. I had the firewall set up 2 weeks ago and am facing no issues so far. We use Five9 softphones. I alread have inspect sip in the global policy. Yet little concerned and wanted to know what needs to be done in order to achieve QoS..

 

Any insight is grealy appreciated.

 

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor
In response to NInja Black

‎06-22-2014 06:14 AM

Not a stupid question at all.

The ASA can only provide low latency queuing (LLQ) and not the more advanced QoS features that routers have...such as WFQ, CBWFQ.  So doing bandwidth reservation is not possible.

You can however adjust the queue size and the transmit (tx) rate.  And you could prioritize VOIP traffic but the then police all other traffic to a value lower than the total bandwidth...That way if there is a bandwidth hog in the default class you would still have 20% or so bandwidth allocated for the VOIP class.  So, lets say you have a 3Mb line and you want to limit default traffic to 2Mb and leave the remaining for VOIP.  That setup would look something like the following:

class-map voip-inside-class
        description VoIP traffic
        match dscp ef


      policy-map voip-inside-policy
        description voip on inside interface
        class voip-inside-class
          priority
        class class-default
          shape average 2000000 8192

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
13 Replies 13

Go to solution
Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor

‎06-18-2014 11:34 PM

I would suggest configuring QoS...especially if the users will also be allowed to access the internet.  You never know how much video streaming users will be doing especially now during the football world cup...and similar events.

Just keep in mind that QoS is not supported on ASAs running in multiple context mode, only supported in single mode

The following links gives a good example of how to configure QoS on the ASA.  The first link says it is for ASA 7.x but the syntax is the same for the other versions as well.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/conns_qos.html

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Go to solution
NInja Black
Beginner
Beginner
In response to Marius Gunnerud

‎06-21-2014 01:33 PM

Thanks for the reply Marius.

 

 I have the following QOS planned and have few questions below

 

class-map voip-inside-class
        description VoIP traffic
        match dscp 34 24 46


      policy-map voip-inside-policy
        description voip on inside interface
        class voip-inside-class
          priority
          user-statistics accounting


      service-policy voip-inside-policy interface inside

 

- Does dscp 34 24 46 cover all voip traffic?

- Which interface should it be applied to? I got inside.

- Shouldn't the priority statement have a % range? I read that in policing/traffic shaping ranges can be set. How to set range in priority queuing?

0 Helpful

Go to solution
Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor
In response to NInja Black

‎06-21-2014 01:54 PM

Normally when dealing with VOIP I only match on DSCP 46 (EF) when doing priority.  If you match on 34 and 23 you will also be prioritizing traffic that technically should not be prioritized.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
NInja Black
Beginner
Beginner
In response to Marius Gunnerud

‎06-21-2014 02:19 PM

Understood. Will remove the dscp 24 and 34.

But shouldn't there be a priority percentage to specify bandwidth to be utilized by the traffic?

By my config voip is given priority but in case a huge file transfer is utilizing all of the bandwidth can't I reserve atleast 20% of the total bandwidth such that voip calls don't get effected.

I apologize if my question is stupid. Want to make sure it works the way I understand it.

Appreciate your response.

0 Helpful

Go to solution
Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor
In response to NInja Black

‎06-22-2014 06:14 AM

Not a stupid question at all.

The ASA can only provide low latency queuing (LLQ) and not the more advanced QoS features that routers have...such as WFQ, CBWFQ.  So doing bandwidth reservation is not possible.

You can however adjust the queue size and the transmit (tx) rate.  And you could prioritize VOIP traffic but the then police all other traffic to a value lower than the total bandwidth...That way if there is a bandwidth hog in the default class you would still have 20% or so bandwidth allocated for the VOIP class.  So, lets say you have a 3Mb line and you want to limit default traffic to 2Mb and leave the remaining for VOIP.  That setup would look something like the following:

class-map voip-inside-class
        description VoIP traffic
        match dscp ef


      policy-map voip-inside-policy
        description voip on inside interface
        class voip-inside-class
          priority
        class class-default
          shape average 2000000 8192

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
NInja Black
Beginner
Beginner
In response to Marius Gunnerud

‎06-22-2014 07:01 PM

Marius, You are awesome!!! Thanks!

0 Helpful

Go to solution
Mohammed Yusuf
Beginner
Beginner
In response to Marius Gunnerud

‎12-13-2016 01:09 AM

Hi Marius,

I am trying to follow your example on ASA 5505 9.3.1 Version. I could do run the commands up to here 

class-map voip-inside-class
description VoIP traffic
match dscp ef


policy-map voip-inside-policy
description voip on inside interface
class voip-inside-class
priority 

Class class-default

but unable to find 

shape average 2000000 8192

would you please advise what will it achive? as I have been searching QOS on ASA for VoIP traffic or may be limit it to 6mb.

0 Helpful

Go to solution
Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor
In response to Mohammed Yusuf

‎12-25-2016 06:42 AM

In newer versions of ASA shaping is not supported, and therefore you will only be able to police traffic.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Mohammed Yusuf
Beginner
Beginner
In response to Marius Gunnerud

‎12-25-2016 09:57 AM

Thanks Marius.

what is the best way for voip? Is policing better or prioritising better on Asa?

0 Helpful

Go to solution
Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor
In response to Mohammed Yusuf

‎12-27-2016 11:06 PM

The best for VOIP is to prioritize.  Policing should never really be used for time sensitive traffic.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
RolandNyalundja9197
Beginner
Beginner
In response to Marius Gunnerud

‎08-28-2019 02:19 AM

ERROR: Shape not allowed with legacy priority in the same policy-map
---------
This is the message appears when i run this configuration.
Any ideas to fix it ?
0 Helpful

Go to solution
nkarthikeyan
Rising star
Rising star
In response to NInja Black

‎06-21-2014 10:59 PM

Hi,

Please perform the below mentioned changes in your FW.

class-map voip-inside-class
        description VoIP traffic
        match dscp ef

!

expedited forwarding is the term which is used voip ptraffic. So this will do as you need.

 

Traffic TypeLayer 2 CoSLayer 3 IP PrecedenceLayer 3 DSCP
Voice RTP155EF
Voice control33AF31
Video conference44AF41
Streaming video (IP/TV)11AF13
Data0-20-2

0-AF23

0 Helpful

Go to solution
NInja Black
Beginner
Beginner
In response to nkarthikeyan

‎06-22-2014 07:02 PM

Thanks for the table Karthik. Very helpful!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents